Privacy in Canada Rises From the Ashes

It's a time of transition for privacy in Canada. On Jan. 1, the Canadian national privacy law - the Personal Information Protection and Electronic Documents Act, or PIPEDA - took full effect. The act now covers the collection, use or disclosure of personal information in the course of any commercial activity within a province, including provincially regulated organizations. It also covers the Canadian health sector. Companies all over Canada are scrambling to figure out how to comply.

Canada also has a new privacy commissioner: Jennifer Stoddart, formerly president of the Quebec Commission on Access to Information (the provincial privacy commission). Stoddart is knowledgeable, well-versed in privacy, innovative and just what Canada needs after the privacy scandal that occurred under former commissioner George Radwanski.

The Radwanski affair was breathtaking. Radwanski had been in office for a few years, during which time he managed to alienate almost everyone in the Canadian government, the Canadian privacy community and the international privacy community. He managed this not so much by what he did but how he did it. When the crisis came, Radwanski had no allies anywhere. Not that it would have mattered, because the scandal was so colossal that no one could have saved him.

His downfall began when he sent a relatively routine letter to Parliament. An M.P. whom Radwanski had insulted asked why a paragraph acknowledging the commissioner's subservience to Parliament was missing from the letter. The commissioner is a creature of the Parliament, and the missing paragraph was boilerplate. Only an annoyed M.P. would have noticed or asked about the missing language.

From this inquiry, Radwanski's world fell apart like a cheap suit. It began with finger-pointing about who was responsible for the letter. Radwanski lied and blamed his staff. That turned out to be a big mistake because his staff members turned on him. They hated him just like everyone else, and perhaps more.

It isn't possible here to describe everything that Radwanski did. His expense account abuse was spectacular. He spent enormous amounts of government money flying to privacy conferences worldwide. His pattern was to show up at the conference to make a speech, then disappear for the rest of the time. I saw him do this myself. While the other privacy officials stayed at the meeting, Radwanski was presumably sightseeing.

His expense account also revealed expansive use of government money for meals. Unlike U.S. officials, officials in Canada have an expense account for hospitality. I was once the beneficiary of a $15 (Canadian!) lunch courtesy of a former privacy commissioner. Radwanski raised the art of dining out to a new level. He spent hundreds of dollars taking his executive assistant out to lunch. That's hundreds of dollars for one meal for two. Then she would return the favor by taking him out to dinner. All on the government, of course.

Radwanski's dining habits became a joke all over Canada, but that was only the start. He ran his office in blatant disregard of the rules. He promoted and paid people as he pleased. He hired his son's girlfriend to do work for which she was not qualified and at a large salary. This was just one of numerous personnel irregularities.

It also came out that Radwanski had declared bankruptcy just before he was appointed to his job by the prime minister. Radwanski used bankruptcy to evade hundreds of thousands of dollars in unpaid taxes. This revelation embarrassed the prime minister personally, and the clearance process for Canadian political appointments changed permanently as a result.

Though Radwanski resigned months ago, new revelations still are emerging. A recent one involved loans made to him by his chief of staff. At the same time, the staffer received large pay increases.

As an independent observer who followed the day-to-day story last year, I was amused and appalled. My Canadian colleagues were just appalled. They feared Radwanski's antics would undermine the commissioner's office and the hard-fought privacy legislative victories of the past few years.

Now that we are a few months beyond Radwanski's resignation, it seems clear that privacy and the commissioner's office both survived the scandal. Radwanski's abuse and greed were wholly personal. So far at least, no one has found that he was selling favorable privacy decisions out of the trunk of his car.

Radwanski was replaced temporarily by a well-known, respected parliamentary officer, and this calmed things while the investigations continued. Then Stoddart was selected as the new commissioner through a relatively public process. These actions helped separate the office from the scandal, though quite a few innocent and not-so-innocent staffers were caught up in one way or another.

PIPEDA is now moving full steam ahead, and U.S. companies with Canadian offices should be paying attention. PIPEDA is cut from the same mold as the European Union Data Protection Directive, but it is also very Canadian. It neatly sidesteps data export control questions that have bedeviled the United States and the EU by saying nothing directly on the subject. But that doesn't mean U.S. companies can get away with ignoring Canadian law or that exports are free from any restrictions.

If you run into trouble with your Canadian operations, however, don't think about hiring Radwanski to help you out. He is one of the most disgraced people in Canadian history.